Overview

overview

10

Static

static

3

c0bb63dd4c...66.exe

windows7-x64

10

c0bb63dd4c...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2024, 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0bb63dd4cb7e09fed8ac253c05d6666.exe

  • Size

    28.8MB

  • MD5

    c0bb63dd4cb7e09fed8ac253c05d6666

  • SHA1

    270af337cebb05822fc02046b849626b0d773528

  • SHA256

    fee83b417fef1503b9107eca4dd77b23e68066b49dcd0ec8dc23bca197575b12

  • SHA512

    c660c97c1cea1826011d0d429ac0f8aaec719f7df59b50206a5aafda0ee6e7592b1ebdfc6cc767a68e711eb331782a648df0e306214e10d99da5f71a55f8e1bf

  • SSDEEP

    786432:6IXRMHC78lK7s5LRbjpDmmxWMMJwB+XphB+HJQp6yUIKqB7:nRMHC6dtjMOWMH4hEU3D7

Score
10/10
raccoon7d45004cd75c003e1e509249826aef9c581bfc4astealer

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

7d45004cd75c003e1e509249826aef9c581bfc4a

Attributes
  • url4cnc

    https://t.me/mohibrainos

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0bb63dd4cb7e09fed8ac253c05d6666.exe
    "C:\Users\Admin\AppData\Local\Temp\c0bb63dd4cb7e09fed8ac253c05d6666.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\is-DDK5G.tmp\c0bb63dd4cb7e09fed8ac253c05d6666.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DDK5G.tmp\c0bb63dd4cb7e09fed8ac253c05d6666.tmp" /SL5="$A011E,29343612,865792,C:\Users\Admin\AppData\Local\Temp\c0bb63dd4cb7e09fed8ac253c05d6666.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\iobituninstaller.exe
        "C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\iobituninstaller.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Users\Admin\AppData\Local\Temp\is-A9BF8.tmp\iobituninstaller.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-A9BF8.tmp\iobituninstaller.tmp" /SL5="$8016C,27490653,137216,C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\iobituninstaller.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3248
          • C:\Users\Admin\AppData\Local\Temp\is-3MB2E.tmp\IUInstaller\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\is-3MB2E.tmp\IUInstaller\Setup.exe" /setup "C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\iobituninstaller.exe" "" "/Ver=10.5.0.5"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            PID:3220
      • C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe
        "C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe
          C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe
          4⤵
          • Executes dropped EXE
          PID:4360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PHvFAHQcrMumhPHvFAHQcrMumhPHvFAHQcrMumh\aFCDKiW1DOxXjGm.exe
    Filesize

    440KB

    MD5

    322cd9344a6af47e0e2c2bb5065b4dd5

    SHA1

    e618a3974624581047b88689de1211314fdfe861

    SHA256

    39d49673f0ee8bdca239f0f95d14d13c01e039fcb2cbf1fe3c057e107f49193f

    SHA512

    ec556527556867431fdfa552b9ad97402da1a7b86c72513e22ec075659393c5e33719a705a02d5fc0bb73b2f038b396c955d82b886f86bdd9559e2b039a39645

    Download Submit

  • C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\iobituninstaller.exe
    Filesize

    4.6MB

    MD5

    a909d6079ad584f5e84ef4bd150b5466

    SHA1

    f34110f9d062027ba56ba28a066a2dfabee84339

    SHA256

    9b3c171b659cc96b34ade2923ec3ecb84e38a325f33dde11ff31ecbe29485d6e

    SHA512

    fde62b3512fd6f6649d9e4cc05b14107b2b2c648f14351384fcdfe3e774046f6fa5e177758b8fd7abf274d8dbbc1a0954b77223ff93c479cbcbe358f90ba9782

    Download Submit

  • C:\Program Files (x86)\PHvFAHQcrMumh_PHvFAHQcrMumhPHvFAHQcrMumh\iobituninstaller.exe
    Filesize

    3.6MB

    MD5

    c1f58dfec0115727b91fbe2e0e21e7b8

    SHA1

    6103dae03daf359b896dd3d1cd0a3368064af552

    SHA256

    a301a468e99657753f485ab70efea93030944f8611da5ce70ed1fdd06a4f209f

    SHA512

    86c40bb67f58cc21b497bac75d020e896bd1e048d4cbfe53add2e4f4278aeefa473b626c5584279b51e48226a9400336605ee2e0581e748794678ed6ca06e5e2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-3MB2E.tmp\Setup.exe
    Filesize

    6.9MB

    MD5

    216c9dcd06e747229c32effa7830678e

    SHA1

    64ad666fa30ffbefcd027acacaf7922d2dcd1621

    SHA256

    b829703d72252bedebb6e28dbfd494e52cb7a3d9e816e32bfb0f77eda1d83d30

    SHA512

    23e6037aa3569b759573898eb7769809d55b9a7dbd578285bbdcbef82585486d102a49595b261fb7ce1fd37e3c3401fea666667c782ad3a7721e21996e291fcf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-A9BF8.tmp\iobituninstaller.tmp
    Filesize

    1.2MB

    MD5

    7d3f62a9d1a1b6a0ef32a4f4f57f9184

    SHA1

    0d7a1b42b8bab72f72a590b44b0b73c31bd2bf92

    SHA256

    552891e5a459be9cfe618eb72f0751a66b1cd134a4fb0f0f9671cdf1c119867a

    SHA512

    9f8880957b9cf2fbbbf0b7f2fa5a2f836c3855222ad0b0bebf22e2844e2bf958ab1dce2c40e3e5f017215ef713964936090540c8f67766742c76eab55dd7838b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-DDK5G.tmp\c0bb63dd4cb7e09fed8ac253c05d6666.tmp
    Filesize

    2.6MB

    MD5

    17fee21411b1a8b3b2785dc0fabdd67e

    SHA1

    08c4a0ed00698c2e98455752f32c141fbff1ed0b

    SHA256

    c9d2c26597f6b184edd5be04df0765f7c3c00d1e99731c2e78b0ecb135d39d83

    SHA512

    9808b7371dd60798325a19670612f05d49fe0c591598cd36b9ff7772265961579a27af900f556e1d9eef01259f93cb2b58a37867dc474d1d581441f1283db9cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mpb.cfg.45362.5718902546.ini
    Filesize

    6KB

    MD5

    3c0a6b1b636eb6e6e2027a01861b313f

    SHA1

    22ed5eefe6e2681deecdfe4add4cf6605d4557f7

    SHA256

    ff2a11b42e4dae2659f88c7b19543f13a77172ce07315bf44e5fbf3bbd702d35

    SHA512

    3ac93d936dbb2b871f4eb604f15aadf9da7224b485655d532aed1de760534a7b13d8b44b9ea81d42d44058b954791d0e7ee1514f831ad1989cd4caf6ccde56b1

    Download Submit

  • memory/2100-0-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2100-25-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2968-13-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2968-51-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3220-54-0x00000000048B0000-0x00000000048B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3220-56-0x0000000004240000-0x0000000004250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3220-76-0x0000000004210000-0x0000000004211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3220-78-0x0000000004240000-0x0000000004250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3220-63-0x0000000000400000-0x0000000000B37000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/3220-52-0x0000000004210000-0x0000000004211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3220-53-0x0000000004890000-0x0000000004891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3220-55-0x0000000005E60000-0x0000000005E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3248-48-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3248-32-0x00000000020A0000-0x00000000020A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4028-20-0x0000000000400000-0x000000000069C000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4028-5-0x0000000002790000-0x0000000002791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4360-69-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4360-80-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4360-75-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4360-73-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4360-72-0x0000000000400000-0x0000000000495000-memory.dmp

    Filesize

    596KB

    Download

  • memory/4760-65-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4760-68-0x0000000004DC0000-0x0000000004DDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4760-74-0x0000000073440000-0x0000000073BF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4760-67-0x0000000004E00000-0x0000000004E76000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4760-66-0x0000000002800000-0x0000000002814000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4760-31-0x0000000073440000-0x0000000073BF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4760-64-0x0000000073440000-0x0000000073BF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4760-26-0x00000000004B0000-0x0000000000522000-memory.dmp

    Filesize

    456KB

    Download